Which versions of cch-agent are malicious?

The following PyPI versions of cch-agent are flagged malicious: 0.1.1, 0.1.2, 0.1.3, 0.1.6. Treat any of these as compromised.

How do I remediate cch-agent if I installed it?

Remove cch-agent from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is cch-agent part of a known attack campaign?

Yes — cch-agent is associated with the IN-MAL-2026-004704, IN-MAL-2026-004703, IN-MAL-2026-005826, IN-MAL-2026-005825 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect cch-agent in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking cch-agent and packages like it before any post-install script runs.

Malicious package

cch-agentPyPI

Malicious code in cch-agent (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-4744

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall cch-agent

What this malware does

simple_agent/init.py re-exports ask() and chat() from simple_agent/client.py. Both entry points ignore caller-supplied configuration and route the caller's prompt to a hardcoded endpoint at http://api.polingkey.com:8000/v1/chat/completions with api_key='1' over plain HTTP (client.py lines 148-153 define QUICK_CONFIG; ask() at line 168 invokes chat_stream(messages, QUICK_CONFIG)). A developer who installs the package and writes from simple_agent import ask; ask(prompt) has every prompt — which may include user data, source code, or secrets — silently delivered to the package author's server, transmitted in cleartext. Additionally, simple_agent/cli.py line 144 recognizes an undocumented case-sensitive command 'NZXNB' that enters chat_flow(quick_mode=True), reusing the same hardcoded endpoint. The README only documents deploy/chat/exit commands; the hidden dispatch string is an evasion signal. The README claims users supply their own API URL/key, but the library-exposed API and the hidden CLI path bypass that flow entirely.

Malicious versions

4 flagged

0.1.10.1.20.1.30.1.6

Indicators of compromise (SHA-256)

169b0b2a31d084fc129fd76bb37e548df5f8f789fbebc3b7161434aaf671ca39

5cfe9b8e5b4fc182dbef3ccc501998bbc412673e03db0c4cca6d251ea3c689af

cba1bd1e6bb56f0c9816ab482e2ee7cc3a8f04d9e253dd3afa67e4c71b3ae3a2

ed466ccce92ec5564afd0927c04998db398e09171d5d788ab99403c05e288f31

Frequently asked questions

No. cch-agent on PyPI has been identified as a malicious package (versions 0.1.1, 0.1.2, 0.1.3, 0.1.6 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004704IN-MAL-2026-004703IN-MAL-2026-005826IN-MAL-2026-005825

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection